From 95a83c45f5b7855c46d9cb7126f87f2c70fce840e2f9a53ee74996376537fc0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= <tchvatal@suse.com>
Date: Wed, 3 Jul 2019 10:52:49 +0000
Subject: [PATCH] Accepting request 713209 from
 home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Security fix: [bsc#1140101, CVE-2019-13118]
  * Fix uninitialized read with UTF-8 grouping chars. Read of
    uninitialized stack data due to too narrow xsl:number
    instruction and an invalid character
  * Added libxslt-CVE-2019-13118.patch

- Security fix: [bsc#1140095, CVE-2019-13117]
  * Fix uninitialized read of xsl:number token. An xsl number with
    certain format strings could lead to a uninitialized read in
    xsltNumberFormatInsertNumbers
  * Added libxslt-CVE-2019-13117.patch

- Security fix: [bsc#1140101, CVE-2019-13118]
  * Fix uninitialized read with UTF-8 grouping chars. Read of
    uninitialized stack data due to too narrow xsl:number
    instruction and an invalid character
  * Added libxslt-CVE-2019-13118.patch

- Security fix: [bsc#1140095, CVE-2019-13117]
  * Fix uninitialized read of xsl:number token. An xsl number with
    certain format strings could lead to a uninitialized read in
    xsltNumberFormatInsertNumbers
  * Added libxslt-CVE-2019-13117.patch

OBS-URL: https://build.opensuse.org/request/show/713209
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=73
---
 libxslt-CVE-2019-13117.patch | 29 +++++++++++++++
 libxslt-CVE-2019-13118.patch | 71 ++++++++++++++++++++++++++++++++++++
 libxslt-python.changes       | 18 +++++++++
 libxslt-python.spec          |  6 +++
 libxslt.changes              | 18 +++++++++
 libxslt.spec                 |  8 +++-
 6 files changed, 149 insertions(+), 1 deletion(-)
 create mode 100644 libxslt-CVE-2019-13117.patch
 create mode 100644 libxslt-CVE-2019-13118.patch

diff --git a/libxslt-CVE-2019-13117.patch b/libxslt-CVE-2019-13117.patch
new file mode 100644
index 0000000..8fdae24
--- /dev/null
+++ b/libxslt-CVE-2019-13117.patch
@@ -0,0 +1,29 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ 		tokens->tokens[tokens->nTokens].token = val - 1;
+ 		ix += len;
+ 		val = xmlStringCurrentChar(NULL, format+ix, &len);
+-	    }
++	    } else {
++                tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++                tokens->tokens[tokens->nTokens].width = 1;
++            }
+ 	} else if ( (val == (xmlChar)'A') ||
+ 		    (val == (xmlChar)'a') ||
+ 		    (val == (xmlChar)'I') ||
+-- 
+2.21.0
+
diff --git a/libxslt-CVE-2019-13118.patch b/libxslt-CVE-2019-13118.patch
new file mode 100644
index 0000000..3ff8916
--- /dev/null
+++ b/libxslt-CVE-2019-13118.patch
@@ -0,0 +1,71 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+---
+ libxslt/numbers.c         | 5 +++--
+ tests/docs/bug-222.xml    | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+     number = floor((scale * number + 0.5)) / scale;
+     if ((self->grouping != NULL) &&
+         (self->grouping[0] != 0)) {
++        int gchar;
+ 
+ 	len = xmlStrlen(self->grouping);
+-	pchar = xsltGetUTF8Char(self->grouping, &len);
++	gchar = xsltGetUTF8Char(self->grouping, &len);
+ 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ 				format_info.integer_digits,
+ 				format_info.group,
+-				pchar, len);
++				gchar, len);
+     } else
+ 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ 				format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++  <xsl:decimal-format name="f" grouping-separator="⠢"/>
++  <xsl:template match="/">
++    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++  </xsl:template>
++</xsl:stylesheet>
+-- 
+2.21.0
+
diff --git a/libxslt-python.changes b/libxslt-python.changes
index d941169..ad88657 100644
--- a/libxslt-python.changes
+++ b/libxslt-python.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Jul  2 15:02:27 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix: [bsc#1140101, CVE-2019-13118]
+  * Fix uninitialized read with UTF-8 grouping chars. Read of
+    uninitialized stack data due to too narrow xsl:number
+    instruction and an invalid character
+  * Added libxslt-CVE-2019-13118.patch
+
+-------------------------------------------------------------------
+Tue Jul  2 15:00:56 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix: [bsc#1140095, CVE-2019-13117]
+  * Fix uninitialized read of xsl:number token. An xsl number with
+    certain format strings could lead to a uninitialized read in
+    xsltNumberFormatInsertNumbers
+  * Added libxslt-CVE-2019-13117.patch
+
 -------------------------------------------------------------------
 Thu Apr 11 06:06:01 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 
diff --git a/libxslt-python.spec b/libxslt-python.spec
index 1c23d4a..9158a77 100644
--- a/libxslt-python.spec
+++ b/libxslt-python.spec
@@ -34,6 +34,10 @@ Patch1:         libxslt-do_not_build_doc_nor_xsltproc.patch
 Patch2:         libxslt-random-seed.patch
 # PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
 Patch4:         libxslt-CVE-2019-11068.patch
+# PATCH-FIX-UPSTREAM bsc#1140095 CVE-2019-13117 Fix uninitialized read of xsl:number token     
+Patch5:         libxslt-CVE-2019-13117.patch
+# PATCH-FIX-UPSTREAM bsc#1140101 CVE-2019-13118 Fix uninitialized read with UTF-8 grouping chars
+Patch6:         libxslt-CVE-2019-13118.patch
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libgpg-error-devel
 BuildRequires:  libtool
@@ -61,6 +65,8 @@ XSLT language with XPath functions written in Python.
 %patch1
 %patch2 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 %build
 autoreconf -fvi
diff --git a/libxslt.changes b/libxslt.changes
index 8d42c8a..affedf1 100644
--- a/libxslt.changes
+++ b/libxslt.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Jul  2 15:02:27 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix: [bsc#1140101, CVE-2019-13118]
+  * Fix uninitialized read with UTF-8 grouping chars. Read of
+    uninitialized stack data due to too narrow xsl:number
+    instruction and an invalid character
+  * Added libxslt-CVE-2019-13118.patch
+
+-------------------------------------------------------------------
+Tue Jul  2 15:00:56 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix: [bsc#1140095, CVE-2019-13117]
+  * Fix uninitialized read of xsl:number token. An xsl number with
+    certain format strings could lead to a uninitialized read in
+    xsltNumberFormatInsertNumbers
+  * Added libxslt-CVE-2019-13117.patch
+
 -------------------------------------------------------------------
 Thu Apr 11 06:06:01 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 
diff --git a/libxslt.spec b/libxslt.spec
index ed1a584..c13a1d8 100644
--- a/libxslt.spec
+++ b/libxslt.spec
@@ -34,8 +34,12 @@ Patch0:         %{name}-1.1.24-no-net-autobuild.patch
 Patch1:         libxslt-config-fixes.patch
 Patch2:         0009-Make-generate-id-deterministic.patch
 Patch3:         libxslt-random-seed.patch
-# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass 
+# PATCH-FIX-UPSTREAM bsc#1132160 CVE-2019-11068 Fix security framework bypass
 Patch4:         libxslt-CVE-2019-11068.patch
+# PATCH-FIX-UPSTREAM bsc#1140095 CVE-2019-13117 Fix uninitialized read of xsl:number token
+Patch5:         libxslt-CVE-2019-13117.patch
+# PATCH-FIX-UPSTREAM bsc#1140101 CVE-2019-13118 Fix uninitialized read with UTF-8 grouping chars
+Patch6:         libxslt-CVE-2019-13118.patch
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libgpg-error-devel
 BuildRequires:  libtool
@@ -105,6 +109,8 @@ xtend the
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 %build
 autoreconf -fvi